Spaces:
Sleeping
Sleeping
| import { describe, expect, it, vi } from 'vitest' | |
| function setNodeEnv(value: string) { | |
| ;(process.env as Record<string, string | undefined>).NODE_ENV = value | |
| } | |
| describe('proxy host matching', () => { | |
| it('allows the system hostname implicitly', async () => { | |
| vi.resetModules() | |
| vi.doMock('node:os', () => ({ | |
| default: { hostname: () => 'hetzner-jarv' }, | |
| hostname: () => 'hetzner-jarv', | |
| })) | |
| const { proxy } = await import('./proxy') | |
| const request = { | |
| headers: new Headers({ host: 'hetzner-jarv' }), | |
| nextUrl: { host: 'hetzner-jarv', hostname: 'hetzner-jarv', pathname: '/login', clone: () => ({ pathname: '/login' }) }, | |
| method: 'GET', | |
| cookies: { get: () => undefined }, | |
| } as any | |
| setNodeEnv('production') | |
| process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1' | |
| delete process.env.MC_ALLOW_ANY_HOST | |
| const response = proxy(request) | |
| expect(response.status).not.toBe(403) | |
| }) | |
| it('keeps blocking unrelated hosts in production', async () => { | |
| vi.resetModules() | |
| vi.doMock('node:os', () => ({ | |
| default: { hostname: () => 'hetzner-jarv' }, | |
| hostname: () => 'hetzner-jarv', | |
| })) | |
| const { proxy } = await import('./proxy') | |
| const request = { | |
| headers: new Headers({ host: 'evil.example.com' }), | |
| nextUrl: { host: 'evil.example.com', hostname: 'evil.example.com', pathname: '/login', clone: () => ({ pathname: '/login' }) }, | |
| method: 'GET', | |
| cookies: { get: () => undefined }, | |
| } as any | |
| setNodeEnv('production') | |
| process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1' | |
| delete process.env.MC_ALLOW_ANY_HOST | |
| const response = proxy(request) | |
| expect(response.status).toBe(403) | |
| }) | |
| it('allows unauthenticated health probe for /api/status?action=health', async () => { | |
| vi.resetModules() | |
| vi.doMock('node:os', () => ({ | |
| default: { hostname: () => 'hetzner-jarv' }, | |
| hostname: () => 'hetzner-jarv', | |
| })) | |
| const { proxy } = await import('./proxy') | |
| const request = { | |
| headers: new Headers({ host: 'localhost:3000' }), | |
| nextUrl: { | |
| host: 'localhost:3000', | |
| hostname: 'localhost', | |
| pathname: '/api/status', | |
| searchParams: new URLSearchParams('action=health'), | |
| clone: () => ({ pathname: '/api/status' }), | |
| }, | |
| method: 'GET', | |
| cookies: { get: () => undefined }, | |
| } as any | |
| setNodeEnv('production') | |
| process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1' | |
| delete process.env.MC_ALLOW_ANY_HOST | |
| const response = proxy(request) | |
| expect(response.status).not.toBe(401) | |
| }) | |
| it('still blocks unauthenticated non-health status API calls', async () => { | |
| vi.resetModules() | |
| vi.doMock('node:os', () => ({ | |
| default: { hostname: () => 'hetzner-jarv' }, | |
| hostname: () => 'hetzner-jarv', | |
| })) | |
| const { proxy } = await import('./proxy') | |
| const request = { | |
| headers: new Headers({ host: 'localhost:3000' }), | |
| nextUrl: { | |
| host: 'localhost:3000', | |
| hostname: 'localhost', | |
| pathname: '/api/status', | |
| searchParams: new URLSearchParams('action=overview'), | |
| clone: () => ({ pathname: '/api/status' }), | |
| }, | |
| method: 'GET', | |
| cookies: { get: () => undefined }, | |
| } as any | |
| setNodeEnv('production') | |
| process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1' | |
| delete process.env.MC_ALLOW_ANY_HOST | |
| const response = proxy(request) | |
| expect(response.status).toBe(401) | |
| }) | |
| }) | |